3.13.13 — Control Mobile Code
What It Says
Control and monitor the use of mobile code.
What It Actually Means
Mobile code is executable content delivered to your systems from external sources — JavaScript in web pages, ActiveX controls, Flash (legacy), macros in Office documents, PowerShell scripts downloaded from the internet.
What to control:
- Browser active content — JavaScript, Java applets, ActiveX. Modern browser security and SmartScreen handle much of this.
- Office macros — a primary malware delivery vector. Block macros from the internet by default.
- Downloaded scripts — PowerShell, VBScript, batch files from untrusted sources.
- Email attachments with executable content — HTML with embedded scripts, Office files with macros.
What the assessor checks:
- Are browsers hardened beyond default settings?
- Are Office macros from the internet blocked?
- Is there application control for script execution?
- Do you have any legacy applications requiring ActiveX?
For most environments, this comes down to browser hardening (GPO/Intune), Office macro policies, and Attack Surface Reduction rules in Defender.
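As an added example (not from this page or from Ancitus), the following PowerShell gathers the two pieces of endpoint evidence this usually comes down to: whether the Office "block macros from the internet" policy is set for each macro-capable application, and which Defender Attack Surface Reduction rules are configured and in what mode. It changes nothing. It assumes Office 16.0 policy keys (Office 2016/2019/365) and uses rule GUIDs from Microsoft's published ASR reference; confirm those against the current list before relying on the output.

```powershell
# Added example, not from the original page: read-only evidence check for
# 3.13.13 on a Windows endpoint. No settings are changed.
# Assumptions: Office 16.0 policy keys; ASR rule GUIDs taken from Microsoft's
# published ASR reference (confirm against the current list).

# 1. Office "Block macros from running in Office files from the Internet".
#    GPO/Intune write this per-app DWORD into the user's policy hive, so run
#    this as the user account being assessed (not only as an admin).
$officeApps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'
$results = @(foreach ($app in $officeApps) {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $value = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                  -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    if ($value -eq 1)          { $state = 'Blocked by policy' }
    elseif ($null -eq $value)  { $state = 'Not configured' }
    else                       { $state = "Policy value $value" }
    [pscustomobject]@{ Control = "Office macros from internet ($app)"; State = $state }
})

# 2. Defender ASR rules relevant to mobile code.
#    Action codes reported by Get-MpPreference: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office apps creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office apps creating executable content'
    '92E97FA1-5D33-48B2-8E86-0FB0D0D1A9D2' = 'Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBScript launching downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Executable content from email/webmail'
}
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$configured = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    # Ids and Actions are parallel arrays; skip the empty placeholder when nothing is set.
    if ($ids[$i]) { $configured[$ids[$i].ToUpper()] = [int]$actions[$i] }
}
$results += foreach ($id in $asrRules.Keys) {
    if ($configured.ContainsKey($id)) {
        $code  = $configured[$id]
        $state = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Action $code" }
    } else {
        $state = 'Not configured'
    }
    [pscustomobject]@{ Control = "ASR: $($asrRules[$id])"; State = $state }
}
$results | Format-Table -AutoSize
```

Anything reported as "Not configured" or "Audit" on a production workstation is the gap the assessor's "show me" question will find; browser hardening (GPO/Intune) is checked separately because its settings vary by browser and tenant.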
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are mobile code usage restrictions defined? | Policy defines which mobile code technologies are permitted and restricted |
| 2 | Are mobile code usage restrictions enforced? | Technical controls block or restrict untrusted code execution |
What to Have Ready on Assessment Day
Documents they’ll review: System and communications protection policy; procedures addressing mobile code; system security plan; system configuration settings for browser and application hardening; list of permitted mobile code technologies
People they’ll talk to: System or network administrators; personnel with information security responsibilities; system developers
Live demos they’ll ask for: Mechanisms implementing mobile code restrictions; attempt to execute restricted code
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “What mobile code technologies are permitted in your environment?”
- “Are Office macros from the internet blocked? Show me the policy.”
- “How are browsers hardened? Show me the GPO or Intune configuration.”
- “Do you have any legacy applications requiring ActiveX? What compensating controls exist?”
- “Show me your Attack Surface Reduction rules.”
Where Companies Trip Up
Default browser settings. Browsers at factory settings with everything allowed. Harden via GPO or Intune.
Office macros unrestricted. Users can open a malicious Word document and macros execute automatically. Block macros from the internet.
Legacy ActiveX dependency. An old internal application requires ActiveX. Document the compensating control — like running it in a sandboxed browser or isolated VM.
No ASR rules. Defender’s Attack Surface Reduction rules are available but not configured. Enable them in audit mode first, then block.
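The "audit mode first, then block" rollout, as an added example (not from this page or from Ancitus): three PowerShell functions that are run days apart, so that what the rules would have blocked is reviewed and scoped with exclusions before anything is enforced. Rule GUIDs are from Microsoft's published ASR reference; the event-data field names are assumptions and should be confirmed against a sample 1122 event on your build.

```powershell
# Added example, not from the original page: audit-first ASR rollout.
# Run elevated on a pilot group before the whole fleet.
# Assumptions: rule GUIDs from Microsoft's ASR reference; event field names
# ('ID', 'Process Name', 'Path') as observed in the event XML, to be confirmed.

$MobileCodeAsrRules = @(
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Office apps creating child processes
    '3B576869-A4EC-4529-8536-B80A7769E899'   # Office apps creating executable content
    '92E97FA1-5D33-48B2-8E86-0FB0D0D1A9D2'   # Win32 API calls from Office macros
    'D3E037E1-3EB8-44C8-A917-57927947596D'   # JS/VBScript launching downloaded executables
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'   # potentially obfuscated scripts
)

function Enable-AsrAuditMode {
    # Phase 1: log what each rule would block without blocking anything yet.
    param([string[]]$RuleIds = $MobileCodeAsrRules)
    foreach ($id in $RuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-AsrAuditSummary {
    # Phase 2: after a representative period, group audit hits (event 1122;
    # 1121 is the blocked variant) by rule and process so exceptions can be
    # scoped to a path instead of disabling a rule outright.
    param([int]$Days = 14)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            RuleId  = $data['ID']             # assumed field: the ASR rule GUID
            Process = $data['Process Name']   # assumed field: initiating process
            Target  = $data['Path']           # assumed field: file or target acted on
        }
    } | Group-Object RuleId, Process | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Targets'; e = { ($_.Group.Target | Select-Object -Unique) -join '; ' } }
}

function Enable-AsrBlockMode {
    # Phase 3: once legitimate hits are handled (Add-MpPreference
    # -AttackSurfaceReductionOnlyExclusions for specific paths), switch to
    # block. Set-MpPreference replaces the whole rule list, so pass every ID
    # you want kept, not just the ones being promoted.
    param([string[]]$RuleIds = $MobileCodeAsrRules)
    $actions = foreach ($id in $RuleIds) { 'Enabled' }
    Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds -AttackSurfaceReductionRules_Actions $actions
}

# Typical sequence, each step on a different day:
#   Enable-AsrAuditMode
#   Get-AsrAuditSummary -Days 14 | Format-Table -AutoSize
#   Enable-AsrBlockMode
```

The summary from phase 2 is also the artifact to keep for assessment day: it shows the rules were tested against real usage, and it documents the exclusions you chose and why.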
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.4.8 — Whitelist or Blacklist Software | Application control complements mobile code restrictions |
| 3.14.2 — Deploy Anti-Malware | Endpoint protection catches mobile code that bypasses restrictions |
Implementation
Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.
CMMC Practice ID: SC.L2-3.13.13 | SPRS Weight: 1 point | POA&M Eligible: Yes